Main Vulnerability Database SB2016070205

SB2016070205 - Information disclosure in npm CLI plugin for Node.js

Published: July 2, 2016 Updated: October 14, 2019

Security Bulletin ID SB2016070205

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2016-3956)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected software includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

https://github.com/npm/npm/issues/8380
https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability